Welcome to Peterborough Linux User Group (Canada) Forum.

Major Windows 10 security flaw announced by the US NSA -update your Win 10

Started by ssfc72, January 14, 2020, 03:20:35 PM



ssfc72

https://www.bbc.com/news/technology-51106356

Make sure you have your Windows 10 updated. A patch has apparently just been issued. This is a major security flaw.
Mint 20.3 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MXLinux)
Cellphone Samsung A50, Koodo pre paid service

Jason

Thanks for sharing, Bill. I wondered what was meant by this:

Quote: It could, in theory, have allowed a hacker to pass off a piece of malicious software as being entirely legitimate.

Passed off in what way? Do they mean the Windows app store? BBC articles are always short on details.

Reading the CERT advisory on it and the Krebs article reveals some additional detail. It looks like websites can look to be legitimate by offering certificates that look like they were signed by an appropriate certificate authority but actually weren't. So they could spoof a website (with the same look) and get users to download software from it thinking it's legit and it's not. And because it looks like a legit certificate, the lock icon will appear at the top which will also make users trust the site since self-signed certificates generate a warning.

The vulnerability has existed in this library since the NT days so using Windows XP will be much more risky since security patches are no longer released for it. I know at least one member mentioned he still uses it.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13
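The distinction in the post above, between a certificate that merely names a trusted CA as its issuer and one the CA actually signed, can be shown in a few lines. The following is an added example written for this page, not code from the thread or from the CERT, Krebs or BBC articles; it uses only Go's standard library, a constructed root CA named "Example Test Root CA" and a constructed hostname "example.test", and it does not reproduce the Windows bug itself (Go's verifier is not affected). It builds a genuine leaf and a forged leaf with an identical Issuer field, then runs both through a naive issuer-name comparison and through a real chain build to the trusted root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const hostname = "example.test" // constructed sample name, not a real site

// newKey makes a fresh in-memory ECDSA P-256 key (nothing is written to disk).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newTemplate builds a minimal certificate template for name; CA templates get
// the cert-signing key usage, leaf templates get a server-auth EKU and a SAN.
func newTemplate(name pkix.Name, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               name,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{hostname}
	}
	return t
}

// sign issues a certificate for tmpl whose Issuer field is copied from
// issuer.Subject but whose signature is produced with signerKey. When
// signerKey does not belong to the issuer, the result only *claims* the CA.
func sign(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Scenario holds the trusted root, a genuinely issued leaf and a forged leaf.
type Scenario struct {
	CA, Legit, Forged *x509.Certificate
}

// BuildScenario constructs the three certificates entirely in memory.
func BuildScenario() Scenario {
	caKey := newKey()
	caName := pkix.Name{CommonName: "Example Test Root CA"} // constructed name
	caTmpl := newTemplate(caName, 1, true)
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root

	// Genuine leaf: the CA's own key signs it.
	siteKey := newKey()
	legit := sign(newTemplate(pkix.Name{CommonName: hostname}, 2, false), ca, &siteKey.PublicKey, caKey)

	// Forged leaf: same issuer name as the CA, but signed with an attacker key
	// the CA never had. Looking at the Issuer field alone cannot tell them apart.
	attackerKey := newKey()
	fakeIssuer := &x509.Certificate{Subject: caName}
	forged := sign(newTemplate(pkix.Name{CommonName: hostname}, 3, false), fakeIssuer, &siteKey.PublicKey, attackerKey)

	return Scenario{CA: ca, Legit: legit, Forged: forged}
}

// NameOnlyCheck is the naive test: accept the leaf if its Issuer matches a
// trusted CA's Subject. It accepts the forgery.
func NameOnlyCheck(ca, leaf *x509.Certificate) bool {
	return leaf.Issuer.String() == ca.Subject.String()
}

// ProperCheck builds a chain to the trusted root, which verifies the leaf's
// signature with the root's real public key and checks the hostname.
func ProperCheck(ca, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

func main() {
	s := BuildScenario()
	for name, leaf := range map[string]*x509.Certificate{"legit": s.Legit, "forged": s.Forged} {
		fmt.Printf("%-6s name-only: %v  proper: %v\n", name, NameOnlyCheck(s.CA, leaf), ProperCheck(s.CA, leaf))
	}
}
```

Run it and the name-only check reports true for both leaves, while the chain build accepts the genuine one and returns an "unknown authority" error for the forged one. The lesson carries over to any validator: trusting what a certificate says about its issuer, rather than verifying the signature against the trusted root's own key material, is exactly what lets a look-alike certificate earn the lock icon.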

ssfc72

https://www.pcworld.com/article/3514172/microsoft-nsa-confirm-killer-windows-10-bug-but-a-patch-is-available.html

According to the above article, the security flaw does not affect Windows 7.

The CERT article does say Windows 8.1 and earlier are not affected.

Jason

Quote from: ssfc72 on January 15, 2020, 04:18:59 AM
https://www.pcworld.com/article/3514172/microsoft-nsa-confirm-killer-windows-10-bug-but-a-patch-is-available.html

According to the above article, the security flaw does not affect Windows 7.

The CERT article does say Windows 8.1 and earlier are not affected.

You have an eagle eye, Bill. I missed that part of the CERT advisory. Krebs suggested that in his article as the package in question has been there since the NT days. But I'd trust the advisory over what he says. Talk about irony that older versions of Windows are safe from it.